They found everything from youngsters snogging to «national security at risk».

Thus far, they have found:• 290 vulnerable control systems, in banks, schools, nursing homes - and a military camp• 2048 surveillance cameras in private homes, night clubs, shops and restaurants• 2500 control systems connected to the Internet with minimal or no security• 500 of these control industrial or critical infrastructure• Thousands of data bases and servers that give away content without passwords

These are all found in Norway. Guess if it is any better in your country?

- Probably not. But Norway is of a size possible to investigate as a whole - if you have the time to do it. So we did just that, says journalist Linn Hillestad.

Alarm!
The series uncover what failed computer security may lead to, not in theory, but in reality. On the road, the journalists confronted people and businesses unaware of their security issues.

For example:• Open servers belonging to 39 of 44 fire departments in one county• Sensitive civil documents about the new military airport• 15 entry points into the Railway Administration's fire alarm system• Sensitive data about children with secret identities• Control of apartment buildings• People making out in front of the camera

Amateurs
- What can individuals with no specialized computer security or hacking skills find online? That is the elementary level we started at, says journalist Espen Sandli.

- Mountains of articles are written about security risks on the Internet. We wanted to take it a step further. We wanted to show precisely what fails, where it happens, and what the consequences are for real people, Hillestad says.

- It frightens me to see what Dagbladet's journalists, with no specialized computer skills, are able to find. What, then, about state powers, organized criminals and hackers, asks senior advisor Vidar Sandland at Norwegian center for information security (NORSIS).

You have been tested!
With the help of in-house developer Ola Strømman, Dagbladet have also developed a test, where you can see if there are any known security gaps registered on your IP-address. The test engine is considered a guide, and is by no means exhaustive or a guarantee of someone's full and complete data security.

Selected quotes:

Journalist: - You say it does not work. So then, can we be allowed to push this button?Owner: - No, absolutely not, absolutely not!

- It is not a question of whether we will be exposed to an attack on our infrastructure; it is a question of when. (Chief Commander of the Cyber Military Defense)

- This is unbelievably foolish, especially after the 22th of July terror. (Politician)

- If anyone would like to blow this factory to pieces - they could just turn this valve here. (Factory owner)

- Such recordings can easily be used for blackmail. (Data protection authorities)

- I think this will be the end for my data company. Such a leak is that serious. But, by God I am glad that I was made aware. (Owner)

- Cyber Crime has become a major industry, more lucrative than the drug trade, according to Interpol. Dagbladet therefore makes an important contribution to increasing the security of us all by putting the spotlight on threats that new technology exposes us to. (National Security Agency)

So far, the test shows that one in four has a potential flaw in their security.

What goes wrong?
As an introduction to the readers, Dagbladet has created an interactive guide to possible security holes.

During this project Dagbladet has investigated 535 320 unique Norwegian IP-addresses and 707 358 open gateways.

Not Like Google
The search engine Shodan is a vital tool. It is a search engine that finds units connected to the Internet, like servers, cell phones, web cams, hard drives or large critical control systems (so-called SCADA systems). Shodan works very differently from Google and other search engines familiar to most people.

- Google lets you search web pages, and these are only a small part of the internet. There are a number of types of software that Google can't see. Shodan discovers these units, explains Shodan founder John Matherly.

- Shodan focuses on devices and the software, while Google's focus is on the data delivered. In other words, Shodan searches for the meta data, while Google searches for the data as such, he says.

Fingerprints
- Shodan is not easy, like Google. We search for «fingerprints», like the version number of a particular unit from a particular manufacturer, says Hillestad.

The team behind the series «Null CTRL» (Zero CTRL) has found and refined several hundred such search terms.

- Stories based on Shodan have been done before, but then with experts doing the research. The two journalists in Dagbladet have done the work themselves, and on an immensly large scale. It's seriously impressive and far beyond any expectations I had, Matherly says.

He wish there would be more journalists who realize what a research tool this is in drawing greater attention to the issue of computer security.

This is where we stop
- Has Dagbladet taken up hacking?

- Definitely not. We ran through the legal and ethical elements of the project with lawyers and experts before we started. We feel it is important to emphasize the fact that Dagbladet is not involved in hacking, Hillestad says.

OPEN SERVER: Sensitive civil documents about Norway's new military airport was available online. Foto: Øistein Norum Monen/Dagbladet
Vis mer

- If we are asked for a password to gain entrance somewhere, we do not proceed, Sandli states.

Which means that Dagbladet's mapping of failing security stops where someone has set a password. This is as true in the cases where the password is easily guessed.

- Many people never change the password that came with the device. That makes it very easy to acquire access for individuals who make other ethical and legal assessments than we do, says Hillestad.

Handed over lists
The journalists have alerted the owners, network providers and/or security authorities prior to publication, making sure security holes are fixed.

HOT OR COLD?: Dagbladet was able to control the heating in a whole block of apartment buildings here in the city Drammen.
Vis mer

The Norwegian newspaper has published more than 60 separate stories on its findings. In addition to news stories, huge amounts of flaws add up in statistics.

But from time to time, findings are so severe that someone really need to be told. Dagbladet has handed over lists of 2500 possibly critical IP-addresses to the national security authorities, owners and/or network providers.

SPY IN THE BEDROOM: The journalists traced people visiting a web camera placed in a bedroom at a cabin. The owner knew nothing about the 98 visits per week - apparently from 12 different countries.
Vis merHIDDEN IDENTITIES: The team found 6000 files on taxi customers on an open data base. Much of the data is sensitive and private, among them information about children with hidden identities and secret addresses.
Vis merContact us: nullctrl@dagbladet.no
Vis mer